- From: Glenn Adams <glenn@skynav.com>
- Date: Fri, 17 Jun 2011 16:17:35 -0600
- To: W3C Style <www-style@w3.org>
- Message-ID: <BANLkTikyxKfNumf7-6BOnm6BBStq50i5dQ@mail.gmail.com>
To follow up on this a bit more, it would be acceptable to include the basic intent expressed by section 4.8 if it were replaced with the following text:

"If a user agent that makes normative use of this specification includes a same-origin policy, then that policy, and the mechanisms it uses to enforce that policy should apply to the loading of fonts via the @font-face mechanism."

Even here, I am reticent to use the word "must" and instead use "should", since a UA implementer that employs cross-origin constraints should still be free to use this mechanism without necessarily using the same constraints.

G.

On Fri, Jun 17, 2011 at 3:33 PM, Glenn Adams <glenn@skynav.com> wrote:

> In [1], section 4.8, are specified constraints on use of css 3 fonts
> features, and, in particular, mandate cross origin reference constraints and
> the use of CORS.
>
> Such constraints constitute policy requirements that are unrelated to the
> definition of the underlying mechanisms defined by css3-fonts. Furthermore,
> effective use of the defined mechanisms does not depend on such a policy.
> Therefore, these policy requirements should be removed.
>
> If a specification defining UA behavior makes reference to css3-fonts and
> wishes to impose such a policy, then it may do so independently, and without
> affecting the functionality of the css3-fonts mechanism itself. Note that
> under a heading of "Security Issues", it may be indicated that such a policy
> may need to be defined and enforced by an external mechanism, defined
> outside of this specification.
>
> Please consider this a formal comment (and objection) from Samsung to
> imposing such policy constraints in this specification.
>
> Regards,
> Glenn Adams (for Samsung)
>
> [1] http://dev.w3.org/csswg/css3-fonts/#same-origin-restriction

Received on Friday, 17 June 2011 22:18:23 UTC